The present invention relates generally to the field of content communication and more specifically to a system for communicating video content on demand through a communication network.
Conventional systems for delivering video content on demand to subscribers are becoming well known. VOD (video on demand) is an interactive service in which content (e.g., video) is delivered to a subscriber over a point-to-point network (e.g., a cable system) on an on demand basis. A subscriber may order and receive programming content at any time, without adhering to a predefined showing schedule. The subscriber is often provided VCR-like motion control functions, such as pause (freeze frame), slow motion, scan forward, and slow backward. The subscriber is typically allowed multiple viewings of a purchased program within a time window, e.g., 24 hours. VOD mimics (or exceeds) the level of control and convenience of rental video tapes. For a VOD service to prevent unauthorized access, the system implementing it provides some form of conditional access.
Conditional Access
The system implementing VOD provides the capability to limit content access to authorized subscribers only, as the contents delivered as part of the service are generally considered valuable intellectual properties by their owners. In cable and satellite television, such capability is known as conditional access. Conditional access requires a trustworthy mechanism for classifying subscribers into different classes, and an enforcement mechanism for denying access to unauthorized subscribers. Encryption is typically the mechanism used to deny unauthorized access to content (as opposed to carrier signal).
Entitlement Management Messages
EMMs (Entitlement Management Messages) are control messages that convey access privileges to subscriber terminals. Unlike ECMs (Entitlement Control Messages) (discussed below) which are embedded in transport multiplexes and are broadcast to multiple subscribers, EMMs are sent unicast-addressed to each subscriber terminal. That is, an EMM is specific to a particular subscriber. In a typical implementation, an EMM contains information about the monthly key, as well as information that allows a subscriber terminal to access an ECM which is sent later. EMMs also define the tiers for each subscriber. With reference to cable services, for example, a first EMM may allow access to HBO™, ESPN™ and CNN™. A second EMM may allow access to ESPN™, TNN™ and BET™, etc.
Entitlement Control Messages
In a conditional access system, each content stream is associated with a stream of ECMs that serve two basic functions: (1) to specify the access requirements for the associated content stream (i.e., what privileges are required for access for particular programs); and (2) to convey the information needed by subscriber terminals to compute the cryptographic key(s), which are needed for content decryption. ECMs are transmitted in-band alongside their associated content streams. Typically, ECMs are cryptographically protected by a “monthly key” which changes periodically, usually on a monthly basis. The monthly key is typically distributed by EMMs prior to the ECMs, as noted above.
Encryption
In a cable system, carrier signals are broadcast to a population of subscriber terminals (also known as set-top boxes). To prevent unauthorized access to service, encryption is often employed. When content is encrypted, it becomes unintelligible to persons or devices that don't possess the proper cryptographic key(s).
Disadvantageously, for VOD, real-time encryption poses much greater cost and space issues. A medium-sized cable system may have, for example, 50,000 subscribers. Using a common estimate of 10% peak simultaneous usage, there can be up to 5000 simultaneous VOD sessions during the peak hours. A typical encryption device can process a small number of transport multiplexes (digital carriers). Over 300 such real-time encryption devices will be needed to handle the peak usage in the example system. Such a large amount of equipment not only adds significantly to the system cost, but also poses a space requirement challenge.
One solution to the aforementioned problem is disclosed in copending related application entitled, “SYSTEM FOR SECURELY DELIVERING PRE-ENCRYPTED CONTENT ON DEMAND WITH ACCESS CONTROL,” Ser. No. 09/898,184, filed Jul. 3, 2001, which is hereby incorporated by reference in its entirety. In U.S. Ser. No. 09/898,184, a system is disclosed that encrypts content offline (typically before the content is requested by the user) before it is distributed to point-to-point systems such as cable systems. The system allows content to be encrypted once, at a centralized facility, and to be useable at different point-to-point systems. Advantageously, the pre-encrypted contents in the present invention have indefinite lifetimes. The system periodically performs an operation called ECM retrofitting, enabling the content to be useable in multiple systems and useable multiple times in the same system. The amount of data being processed during ECM retrofitting is very small (on the order of several thousand bytes). There is no need to reprocess the pre-encrypted contents. This is a significant advantage, as several thousand bytes represent only a tiny fraction of the size of a typical 2-hour video program, which is about 3 gigabytes (3,000,000,000 bytes) in size.
In a first embodiment, the system of U.S. Ser. No. 09/898,184, includes a content preparation system (CPS) for pre-encrypting the content offline to form pre-encrypted content; an encryption renewal system (ERS) for generating entitlement control messages (ECMs) that allow the pre-encrypted content to be decryptable for a designated duration; and a conditional access system (CAS). Conventionally, the CAS controls a population of set-top boxes using a randomly generated periodical key. Only with possession of the periodical key can the pre-encrypted content be decrypted by the set-top boxes. The periodical key is initially forwarded to the ERS which thereafter generates an ECM containing information regarding the periodical key.
Next, the ECM and the periodical key information are retrofitted to the pre-encrypted content and are forwarded with the pre-encrypted content to the subscriber terminals for decryption. In this fashion, the ERS may be connected to multiple systems (and their CASs) for ECM retrofitting for each CAS. As noted, the amount of data being processed during ECM retrofitting is very small relative to having to encrypt the content itself for every CAS system. The problem arises, however, that the periodical key must be securely conveyed from each CAS to the ERS. The ERS may be a server, for example, remotely located from the CAS located at a cable head end. Frequently, the communication link may be insecure such that unauthorized access can be gained by pirates. Once the periodical key is accessed, the pre-encrypted content is decryptable.
The security problem also applies to the CPS. As noted, the CPS is for pre-encrypting the content offline to form pre-encrypted content. An OLES (off-line encryption) device is the mechanism for carrying out the pre-encryption. The OLES receives clear content, encrypts the content and generates an associated encryption record for each encryption session. Disadvantageously, the OLES is susceptible to being stolen by pirates. In fact, when compromised, the OLES is potentially useable for an indefinite period, at least until the compromise is detected by manual means. The outputs of the OLES are valuable and the lost revenue from a compromised OLES may be relatively high.
Therefore, there is a need to resolve the aforementioned problems relating to conveying cryptographic keys to the ERS and securing the OLES and the present invention meets this need.